VYPR
Unrated severity · NVD Advisory · Published Nov 12, 2019 · Updated Aug 4, 2024

CVE-2019-1432

Description

An information disclosure vulnerability exists when DirectWrite improperly discloses the contents of its memory, aka 'DirectWrite Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-1411.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An out-of-bounds read in DirectWrite's font parsing allows information disclosure; user interaction is required via a malicious page or file.

Vulnerability

An information disclosure vulnerability exists in the DirectWrite library included with Microsoft Windows. The issue, tracked as ZDI-19-974, lies within the parsing of font files. Specifically, the lack of proper validation of user-supplied font data can result in reading past the end of an allocated buffer (out-of-bounds read). Affected products include all supported editions of Windows. The vulnerability is distinct from CVE-2019-1411, another DirectWrite disclosure issue. [1]

Exploitation

Exploitation requires user interaction. An attacker must convince a target to either visit a malicious web page that hosts a specially crafted font or open a malformed font file directly. No authentication or local access is needed, but the user must perform the action for the vulnerable code path in DirectWrite (e.g., via a browser or application rendering the font) to be triggered. [1]

Impact

Successful exploitation leads to an out-of-bounds read that can disclose memory contents of the DirectWrite library. While this is an information disclosure vulnerability only (CVSS 3.3, Low severity), the leaked data could potentially be combined with other vulnerabilities to achieve code execution in the context of the current process. The confidentiality impact is partial, and there is no direct integrity or availability impact. [1]

Mitigation

Microsoft addressed this vulnerability in the November 2019 Patch Tuesday update. Users should apply the latest security updates via Windows Update or as recommended by their organization's patch management process. There is no known workaround for unpatched systems. Microsoft has not listed this CVE in the Known Exploited Vulnerabilities (KEV) catalog. [1]

References
  1. ZDI-19-974

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3
